Closed ddxl123 closed 4 years ago
exp is the timestamp after which you don't accept a token anymore
nbf is the timestamp before which you don't accept a token yet

Timestamps are always evaluated by whomever is consuming the token. In general it is best practice to allow a reasonable clock skew when it comes to evaluation, but JWT as a format does not deal with local time setting tampering. At some point there needs to be an authority that knows its local time setting is correct that also processes the JWT.
Closing, feel free to reopen if you need any further clarifications
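How a token consumer evaluates `exp` and `nbf` against its own clock with a skew allowance, as an added example that is not code from the library or from this thread; the 60-second tolerance, the helper names and the sample claims are assumptions:

```javascript
// Added example: the consumer's clock is the only "now" that counts.
// Nothing inside the token can be trusted to say what time it is.
const CLOCK_TOLERANCE_SECONDS = 60; // assumed skew allowance

// Constructed, unsigned sample token: header and payload are base64url JSON,
// the third segment is a placeholder, not a real signature.
function buildSampleToken(payload) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64(payload)}.signature-placeholder`;
}

// Decode the payload segment of a compact JWS. This does not verify the
// signature; signature verification must pass before any claim is acted on.
function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Returns 'ok', 'expired' or 'not-yet-valid'. nowSeconds defaults to the
// verifier's clock and is a parameter only so the check can be exercised.
function checkTemporalClaims(
  payload,
  nowSeconds = Math.floor(Date.now() / 1000),
  tolerance = CLOCK_TOLERANCE_SECONDS,
) {
  if (payload.exp !== undefined) {
    if (typeof payload.exp !== 'number') throw new Error('exp must be a NumericDate');
    // exp: stop accepting once now reaches exp, plus the skew allowance
    if (nowSeconds >= payload.exp + tolerance) return 'expired';
  }
  if (payload.nbf !== undefined) {
    if (typeof payload.nbf !== 'number') throw new Error('nbf must be a NumericDate');
    // nbf: start accepting at nbf, minus the skew allowance
    if (nowSeconds < payload.nbf - tolerance) return 'not-yet-valid';
  }
  return 'ok';
}

// Constructed claims: valid from 1700000000 for one hour.
const SAMPLE_TOKEN = buildSampleToken({ iat: 1700000000, nbf: 1700000000, exp: 1700003600 });
console.log(checkTemporalClaims(decodePayload(SAMPLE_TOKEN), 1700001000)); // ok
```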
Is the expiration time based on the client system time or the server system time? If it is a client, how to prevent the client system time from being tampered with? If it is a server, how to prevent the server system time from being tampered with? And, what is the difference between expiresIn and notBefore?